Operations
3/17/2016
10:45 AM
John B. Dickson
John B. Dickson
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Beyond Back Doors: Recalibrating The Encryption Policy Debate

Three compelling reasons why access to back doors should not be the intelligence and law enforcement community's main policy thrust in the fight against terrorism.

A strange confluence of events has brought encryption to the center of public policy debate in spite of the heated presidential election cycle and other geopolitical current events. Terrorism, Edward Snowden’s NSA leaks, and a constant stream of high-profile breaches that have put citizens’ private data at risk have elevated the discussion that previously existed solely in technical circles. Recent calls by the United States government to gain access to backdoors on  software and sites in order to intercept terrorist communications has increased the emotional volume of the debate, pitting the Administration, intelligence community, and law enforcement against technology companies and privacy advocates.

When focusing on the upside that backdoors provide, government leaders have downplayed the damage to US technology leadership in the world and the economic impact to US technology companies. At the same time, many US technology companies view themselves “above the fray” with international markets key to their businesses. In spite of being US-based companies, they feel that close alignment with the American government puts them at an economic disadvantage. 

This is occurring in what many observers characterize as a policy vacuum surrounding the encryption debate - a victim perhaps of other political issues facing our elected officials. Post-Snowden, Congress has yet to provide clarity to its citizens on the security vs. privacy debate, leaving the Executive Branch unchecked in matters of cybersecurity. In practice, the White House has pushed the policy envelope with regard to citizen privacy. Its engagement with technology companies at the end of 2015 is one example of its attempt to do the right thing, using perceived leverage from heavyweight solutions like backdoors to gain the attention of Silicon Valley.

There is sore need to recalibrate here. I say this from a unique perspective as I come from the intelligence world. But my most recent experiences are with cybersecurity companies that protect United States companies from sophisticated attacks emanating from every corner of the world. I am neither a privacy activist nor corporate executive with vested interests outside the US. I understand that the world is full of bad people who want to do horrible things to our country. Terrorism is a real threat, and the United States needs to maintain its vigilance against future attacks. However, it is imperative that we do so with the understanding of the full set of consequences, both intentended and not.

To put it bluntly, access to backdoors (through escrowed encryption keys or any other technical mechanism) is simply not a viable strategy in the fight against terrorism and should not be our main policy thrust. As tempting as it may be to seak out an “easy” button for this problem, we need more deliberation and more creative options. There are three compelling reasons that we need to eschew backdoors when fighting terrorism:

Reason 1: Providing backdoors to governments – any government – is a bad idea. Engineering students learn early on to avoid single points of failure in their designs. A backdoor provides the most elevated access to any system or software, and can provide that same access to unintended parties, including attackers. Two axioms hold true when dealing with designed backdoors. First, common entry points always get discovered. Once available on the public Internet, systems will be subjected to the constant onslaught from all manner of attackers, including nation-states. Second, the security of systems degrades over time. Once they exist, backdoors will be used, and inevitably someone will make a mistake leading to the (potentially unknown) use of backdoor access by others. This argument doomed the Clipper Chip in the 90’s and highlights the current worry abour the recent Juniper router backdoor disclosure.

Furthermore, what’s to stop other countries from demanding access to these same backdoors? Virtually all the discourse to this point has been in the context of the US government accessing US companies, but imagine the Chinese or Russian government demanding access to the backdoors of Google, Apple, and Facebook as a precondition of these companies selling in their markets? The idea is not far-fetched: in fact, China’s New Network Law is already blurring the line between competition and national security.

Reason 2: Governments have struggled to protect their own data – why give them the keys to all kingdoms? The US Governement currently has a large “trust” problem with its citizens. If we citizens are doubtful that the government can protect its own secrets, why should we entrust them with backdoor access to all of our secrets too? The 21.5 million government workers whose highly sensitive, and damaging, data was lost by OPM are sufficient proof of a crisis in confidence. Even more disconcerting is NSA’s data loss via Snowden. Imagine that rather than publishing gigabytes of NSA memos and presentations, Snowden revealed the private information, collected by NSA, on the Internet. This crisis of confidence in governments is most pronounced in adults below thirty years-old. Any further concentration of government power to access information via backdoors would exacerbate the situation.

Reason 3: Don’t kill the technology goose that lays the golden egg.  US technology product and cloud companies are the economic engine that fills US Treasury coffers. By mandating backdoor access, the US government would put US technology companies at a severe competitive disadvantage, which ultimately weakens their worldwide position of leadership and damages our economy in ways we will never be able to fully quantify. Already, suspicion exists with many international technology buyers. For example, many US companies selling overseas are asked by their prospects to fill out questionnaires that detail how they cooperate with American law enforcement and intelligence agencies. Suffice it to say, it’s doubtful non-US-based companies face the same scrutiny. Eventually, the market will provide more viable alternatives to existing US-based hosting and technology products, but until then much damage can be done.

Backdoors and their many different iterations are not a long-term or viable policy option to fight terrorism. Their intended and unintended consequences far outweigh their benefits. The sooner we move away from any discussion of this approach, the better we will be served. No doubt, we need more creative options from our intelligence and law enforcement community. It’s the implementation of encryption, at either end of the conversation, where opportunities exist for exploitation. This, and other examples, is where our government should focus its efforts – not on the (seemingly) “easy” button. 

Related Content: 

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
The Dark Reading Security Spending Survey
The Dark Reading Security Spending Survey
Enterprises are spending an unprecedented amount of money on IT security where does it all go? In this survey, Dark Reading polled senior IT management on security budgets and spending plans, and their priorities for the coming year. Download the report and find out what they had to say.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.